zeptoclaw 0.9.2

$ zeptoclaw agent --stream -m "Analyze our API for security issues"

🤖 ZeptoClaw — Streaming analysis...

  [web_fetch]        Fetching API docs...
  [shell]            Running integration tests...
  [longterm_memory]  Storing findings...

→ Found 12 endpoints, 3 missing auth headers, 1 open redirect
→ Saved findings to long-term memory under "api-audit"

✓ Analysis complete in 4.2s

We studied the best AI assistants — and their tradeoffs. OpenClaw's integrations without the 100MB. NanoClaw's security without the TypeScript bundle. NemoClaw's governance without the 2GB Docker container. PicoClaw's size without the bare-bones feature set. One Rust binary with 33 tools, 11 channels, 16 providers, and 6 sandbox runtimes.

Why ZeptoClaw

We studied what works — and what doesn't.

OpenClaw proved an AI assistant can handle 12 channels and 100+ skills. But it costs 100MB and 400K lines. NanoClaw proved security-first is possible. But it's still 50MB of TypeScript. NemoClaw proved enterprise governance matters — policy-locked sandboxes, federated inference routing. But it's a 2GB Docker container wrapping OpenClaw underneath, with zero built-in tools. PicoClaw proved AI assistants can run on $10 hardware. But it stripped out everything to get there.

ZeptoClaw took notes. The integrations, the security, the governance, the size discipline — without the tradeoffs each one made. One 6MB Rust binary that starts in 50ms, uses 6MB of RAM, and ships with container isolation, prompt injection detection, and a circuit breaker provider stack.

Security

AI agents execute code. Most frameworks trust that nothing will go wrong.

The OpenClaw ecosystem has seen CVE-2026-25253 (CVSS 8.8 — cross-site WebSocket hijacking to RCE), ClawHavoc (341 malicious skills, 9,000+ compromised installations), and 42,000 exposed instances with auth bypass. ZeptoClaw was built with this threat model in mind.

Every layer runs by default. No flags to remember, no config to enable.

Install

# One-liner (macOS / Linux)
curl -fsSL https://raw.githubusercontent.com/qhkm/zeptoclaw/main/install.sh | sh

# Homebrew
brew install qhkm/tap/zeptoclaw

# Docker
docker pull ghcr.io/qhkm/zeptoclaw:latest

# Build from source
cargo install zeptoclaw --git https://github.com/qhkm/zeptoclaw

The control panel is an optional compile-time feature. To use zeptoclaw panel or zeptoclaw serve, build/install with --features panel.

Uninstall

# Remove ZeptoClaw state (~/.zeptoclaw)
zeptoclaw uninstall --yes

# Also remove a direct-install binary from ~/.local/bin or /usr/local/bin
zeptoclaw uninstall --remove-binary --yes

# Package-managed installs still use their package manager
brew uninstall qhkm/tap/zeptoclaw
cargo uninstall zeptoclaw

Quick Start

# Interactive setup (walks you through API keys, channels, workspace)
zeptoclaw onboard

# Talk to your agent
zeptoclaw agent -m "Hello, set up my workspace"

# Stream responses token-by-token
zeptoclaw agent --stream -m "Explain async Rust"

# Use a built-in template
zeptoclaw agent --template researcher -m "Search for Rust agent frameworks"

# Process prompts in batch
zeptoclaw batch --input prompts.txt --output results.jsonl

# Start as a Telegram/Slack/Discord/Webhook gateway
zeptoclaw gateway

# With full container isolation per request
zeptoclaw gateway --containerized

Migrate from OpenClaw

Already running OpenClaw? ZeptoClaw can import your config and skills in one command.

# Auto-detect OpenClaw installation (~/.openclaw, ~/.clawdbot, ~/.moldbot)
zeptoclaw migrate

# Specify path manually
zeptoclaw migrate --from /path/to/openclaw

# Preview what would be migrated (no files written)
zeptoclaw migrate --dry-run

# Non-interactive (skip confirmation prompts)
zeptoclaw migrate --yes

The migration command:

• Converts provider API keys, model settings, and channel configs
• Copies skills to ~/.zeptoclaw/skills/
• Backs up your existing ZeptoClaw config before overwriting
• Validates the migrated config and reports any issues
• Lists features that can't be automatically ported

Supports JSON and JSON5 config files (comments, trailing commas, unquoted keys).

Deploy

Any VPS

curl -fsSL https://zeptoclaw.com/setup.sh | bash

Installs the binary and prints next steps. Run zeptoclaw onboard to configure providers and channels.

Providers

ZeptoClaw supports 16 LLM providers. All OpenAI-compatible endpoints work out of the box.

Configure in ~/.zeptoclaw/config.json or via environment variables:

{
  "providers": {
    "openrouter": { "api_key": "sk-or-..." },
    "ollama": { "api_key": "ollama" }
  },
  "agents": { "defaults": { "model": "anthropic/claude-sonnet-4" } }
}

export ZEPTOCLAW_PROVIDERS_GROQ_API_KEY=gsk_...

Any provider's base URL can be overridden with api_base for proxies or self-hosted endpoints. See the provider docs for full details.

Features

Core

Channels & Integration

Security & Ops

Full documentation — zeptoclaw.com/docs covers configuration, environment variables, CLI reference, deployment guides, and more.

Inspired By

ZeptoClaw is inspired by projects in the open-source AI agent ecosystem — OpenClaw, NemoClaw, NanoClaw, and PicoClaw — each taking a different approach to the same problem. NemoClaw's declarative policy model and digest-verified supply chain influenced our security thinking. ZeptoClaw's contribution is Rust's memory safety, async performance, and container isolation for production multi-tenant deployments — all in a 6MB binary that runs where Docker containers can't.

Usage

# CLI agent (one-shot or streaming)
zeptoclaw agent -m "Summarize this repo"
zeptoclaw agent --stream -m "Explain async Rust"
zeptoclaw agent --template coder -m "Add error handling to main.rs"

# Multi-channel gateway
zeptoclaw gateway                    # Telegram, Slack, Discord, etc.
zeptoclaw gateway --containerized    # With container isolation per request

# Memory, secrets, profiles
zeptoclaw memory set project:name "ZeptoClaw" --category project
zeptoclaw secrets encrypt
zeptoclaw hand activate researcher

# Batch, diagnostics, self-update
zeptoclaw batch --input prompts.txt --output results.jsonl
zeptoclaw doctor                     # Diagnose config/provider issues
zeptoclaw update                     # Self-update to latest release

Development

# Build
cargo build

# Run all tests (~3,900 total)
cargo nextest run --lib

# Lint and format (required before every PR)
cargo clippy -- -D warnings
cargo fmt -- --check

See CLAUDE.md for full architecture reference, AGENTS.md for coding guidelines, and docs/ for benchmarks, multi-tenant deployment, and performance guides.

Zepto Stack

ZeptoClaw is part of the Zepto stack — a modular system for running AI agents in production.

ZeptoPM        — orchestration, supervision, retries, job lifecycle
    │
    │  create(spec) + spawn(worker, args, env)
    ▼
ZeptoCapsule   — capsule creation, process isolation, resource enforcement
    │
    │  fork/namespace/microVM + stdio transport
    ▼
ZeptoClaw      — LLM calls, tool use, artifact production
    │
    └── JSON-line IPC over stdin/stdout back to ZeptoPM

Contributing

We welcome contributions! Please read CONTRIBUTING.md for:

• How to set up your fork and branch from upstream
• Issue-first workflow (open an issue before coding)
• Pull request process and quality gates
• Guides for adding new tools, channels, and providers

License

Apache 2.0 — see LICENSE

Disclaimer

ZeptoClaw is a pure open-source software project. It has no token, no cryptocurrency, no blockchain component, and no financial instrument of any kind. This project is not affiliated with any token or financial product.